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Abstract —With the development of wireless communication 
technologies which considerably contributed to the development 
of wireless sensor networks (WSN), we have witnessed an ever- 
increasing WSN based applications which induced a host of 
research activities in both academia and industry. Since most 
of the target WSN applications are very sensitive, security issue 
is one of the major challenges in the deployment of WSN. 
One of the important building blocks in securing WSN is key 
management. Traditional key management solutions developed 
for other networks are not suitable for WSN since WSN networks 
are resource (e.g. memory, computation, energy) limited. Key 
pre-distribution algorithms have recently evolved as efficient 
alternatives of key management in these networks. In the key pre¬ 
distribution systems, secure communication is achieved between 
a pair of nodes either by the existence of a key allowing for 
direct communication or by a chain of keys forming a key-path 
between the pair. 

In this paper, we propose methods which bring prior knowl¬ 
edge of network characteristics and application constraints into 
the design of key pre-distribution schemes, in order to provide 
better security and connectivity while requiring less resources. 
Our methods are based on casting the prior information as a 
graph. Motivated by this idea, we also propose a class of quasi- 
symmetric designs referred here to as g-designs. These produce 
key pre-distribution schemes that significantly Improve upon the 
existing constructions based on unital designs. We give some 
examples, and point out open problems for future research. 

Index Terms —Balanced incomplete block design, quasi- 
symmetric design, key pre-distribution, sensor networks, graphs. 


I. Introduction 

W IRELESS sensor networks (WSN) typically consist of 
a large number of sensor nodes with limited memory 
and power. These networks are used in both military and 
civilian applications. In military applications, sensor nodes 
may be deployed for example in battlefield surveillance, while 
in environmental applications, distributed sensors could moni¬ 
tor physical or environmental conditions such as temperature, 
sound, pressure, etc. and cooperatively pass their data through 
the network to a main location 0 , 0 - Because of the 
sensitivity of most WSN applications, security issue is one 
of the major challenges in the deployment of WSN. 
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Security is an essential question for many sensor network 
applications, especially for military applications. Providing 
security to small sensor nodes is challenging because of the 
resources limitations of sensor nodes in terms of storage, 
computations, communications, and energy. One of the impor¬ 
tant building blocks for the development of security solutions 
in WSN is key management. The key management scheme 
design is more complicated due to the characteristics of the 
WSN such as: (1) The vulnerability of nodes to physical 
attack, where the deployment in a hostile area makes the 
attacker capable to simply compromise any node and to reveal 
its security materials (e.g. keys, functions, ...); (2) The nature 
of wireless communication, where the radio links are insecure 
and an attacker can eavesdrop on the radio transmissions, 
inject bits in the channel, and replay previously overheard 
packets; (3) The density and the large size of the network 
which make the control of all nodes very hard. 

Eor security or privacy reasons, it is often critical to build 
encrypted communications between two sensor nodes using 
a common secret key. Key pre-distribution scheme (KPS) is 
a classical way to set up secret keys among sensor nodes 
before the deployment phase. Compared with online key 
exchange protocols, key pre-distribution is more attractive for 
networks consisting of large number of nodes with limited 
communication/computation resources 0. 

Over the last decade, a host of research on key pre¬ 
distribution issue for WSN have been conducted and many 
solutions have been proposed in literature. Existing KPS fall 
into two categories: probabilistic and deterministic schemes. In 
probabilistic schemes, a direct connection between each two 
nodes is established with certain probability, i.e. probability 
that these two nodes share a common key. In deterministic 
schemes, however, each pair of nodes are known to be directly 
connected or not. 

Eschenauer and Gligor 0 proposed a random key pre¬ 
distribution (RKP) scheme. Later on, there have been some 
improvements on RKP, e.g. improvements on its resilience by 
increasing the “intersection threshold” (the least number of 
common keys for two nodes to establish a direct connection) 
0^ or improvements on its resilience as well as higher 
probability of sharing keys by using deployment knowledge 
0-0. Schemes called “multiple key spaces” are proposed 
that combine different KPS to achieve better performance 

d-ip. 

A simple deterministic scheme assigns a distinct key to 
each link, and 6—1 pairwise keys to each node, where 6 is 
the number of nodes. Choi et al. in proposed an improved 
method where each node only needs to store (6 -f l)/2 keys. 
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However, these methods may not be easily scalable. Camtepe 
et al. |T4), |T5) proposed a novel method that uses block 
designs for key pre-distribution. They proposed a deterministic 
key pre-distribution scheme that maps a symmetric balanced 
incomplete block design (SBIBD) or generalized quadrangles 
(GQ) to key pre-distribution. 

There are some other works that use design theory to 
construct effective KPS. Lee et al. m introduced the common 
intersection designs to KPS. Chakrabarti et al. GZ) used 
transversal designs and merging block techniques. Ruj et al. 
m proposed a KPS that is based on partially balanced 
incomplete block designs (PBIBD). They also used triple 
system to design a probabilistic KPS Later on, Bose et al. 
| [20) proposed an improved construction that combines several 
PBIBDs. Bechkit et al. ED proposed the unital-based key 
pre-distribution scheme (UKP), a deterministic scheme that 
improves the scalability of a network. More detailed surveys 
could be found in |[22l-||2^. 

A. Motivations for Graph-Based KPS 

Usually, the main goal of KPS is to seek a design solution 
that provides more connectivity coverage while requiring less 
memory (or using as few keys as possible). Existing designs 
are often evaluated under criteria such as network connectivity, 
average path length, network resiliency, storage overhead, and 
network scalability. 

Our contributions are motivated by the following observa¬ 
tions; 

• Observation 1: In many applications, there are several 
intended deployment locations, and typically a number 
of sensor nodes are deployed in each of these locations. 
In hierarchical scenarios, each group of sensors placed 
in a location must pass their data to sensor nodes of 
higher ranks. This means that for a hierarchical sensor 
network, nodes in the same group need more connectivity 
than those across groups (Figure [Ta]l. This can be used 
to reduce the number of required keys. 

• Observation 2; In some scenarios, a group of sensor 
nodes are naturally set in a master-slave architecture. 
For instance, the commander of a military needs more 
communications with his lower rank staff. This means 
that one or some nodes are in charge of collecting 
data/sending command signals to the remaining nodes 
(Figure [Tbl). So there are some important connections that 
we need to establish with higher efficiency and security. 

• Observation 3; Two sensor nodes can communicate with 
each other only in a certain distance referred to as the 
radio frequency (RF) range (Figure[T^. If it is known that 
certain pairs never connect directly due to being outside 
of each other’s radio frequency range, then it would be a 
waste of resources to assign common keys to them. 

• Observation 4: If it is known in advance that certain 
connections are more likely to be eavesdropped, the cor¬ 
responding nodes should not share common keys (Figure 



These observations motivate the use of prior information in 
designing improved KPS schemes. 






B. Contribution and Organization of This Work 

We propose graph-based key pre-distributions (block de¬ 
signs) that incorporate prior knowledge of network charac¬ 
teristics and constraints. This provides better security and 
connectivity while requiring less resources once properly used. 
We elaborate on two practical scenarios, and explain why 
the graph-based design is preferable or even required. Some 
previous work that used deployment knowledge to optimize 
KPS may look similar, but is different in concept. For example, 
the scope of “deployment” was usually in a geographic sense. 
However, the model that communication should not pass 
through some links of potential danger was rarely studied, up 
to our knowledge. A general framework that casts the prior 
information as graphs is the main motivation of this work. 

We hrst briefly review the basics of block design theory in 
Section [III Especially, we propose p-designs, a class of quasi- 
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symmetric designs, and initiate the study of the applications of 
them to KPS. We propose the concept of graph-based KPS in 
Section III In Section IV we demonstrate the improvements 
provided by graph-based KPS and ^-designs in a specihc 
scenario. In Section |V] we study another scenario. We further 
provide an algorithmic framework (referred to MAR) for KPS 
design for the second scenario in Section |Vl] Finally, we make 
our conclusions in Section 


II. Background 
A. Block Design Theory 

Block design theory deals with the properties, existence, 
and construction of systems of hnite sets whose intersections 
have specihed numerical properties. A block design (BD) is 
a set system {V, !B). Each element in V is called a point (or 
treatment), and each element in is called a block. 


Definition 1. A Balanced Incomplete Block Design (BIBD) 

with parameters A, k, r, v, and b is a block design in which 
V points are arranged in b blocks, such that each block 
contains k points, each point appears in r blocks, and each 
pair of points appear in exactly A blocks. It is denoted by 
(A, k, r, V, b)-BIBD. It may also be denoted by (A, k, v)-BIBD, 
as r and b are given by 425|/ 


X{v — 1) X{v — l)u 

fc — 1 ’ {k — l)k 


( 1 ) 


Definition 2. A BIBD is a g-design if any two blocks intersect 
in either zero or a fixed number of points g > Q. 


of size b such that its edge set E{G) is a disjoint union of 
v{v — l)/2 subsets, where each subset forms a clique of size 
A. Also, b satisfies the equation 

0 

Proof The proof is given in Appendix[A] as it uses a definition 
to be introduced in Section |In] □ 

Theorem [T] provides a necessary condition for the g = 2 
case. The following result shows the equivalence between g- 
designs with g = I and a class of graphs. 


Theorem 2. The existence of a (X — 1, k,v)-BIBD is equiva¬ 
lent to the existence of a regular graph G of size b such that its 
edge set E{G) is a disjoint union of v subsets each of which 
forms a clique of size r, where 


TV 

T 



+ 1 G N, 


(3) 


N is the set of natural numbers. 


Proof. The proof is given in Appendix[Bj as it uses a technique 
to be introduced in Section |Vll □ 


Lemma 1. (Lemma 2.1) 

If a (A, fc, v)-BIBD is a g-design, then its design graph is a 
strongly regular graph, denoted by srg{b, d, t, u). When A = 1, 
we have 

d=^ — jk, t =^—^ - 2-f (A: - 1)^, u = (4) 

k — 1 k — 1 


A quasi-symmetric design is a BIBD with two possible 
intersection numbers for any pair of blocks. A p-design clearly 
belongs to the class of quasi-symmetric designs when one 
intersection number equals to zero. But the term p-design is 
defined here for convenience. Some properties and construc¬ 
tions of p-designs have been studied in l|26)-||^. 

Clearly, any (A,/c, r, u, &)-BIBD with A = 1 (also referred 
to as a Steiner system) is a p-design with g = 1. 

Also, any unital design is a (l,m-|-l,TO^,m^-|-l,TO^(TO^ — 
m -f 1))-BIBD for some m, and is also a p-design. 

Definition 3. Let G be a graph. Let V{G) and E{G) be 
respectively the set of nodes and edges of G. G is regular with 
degree d if every node of G has incidence degree d. A clique 
in G is a subset of its vertices such that every two vertices in 
the subset are connected by an edge; in other words, it is a 
subgraph of G and is complete. 

Definition 4. A strongly regular graph (SRG) with parameter 
set (b, d, t, u) is defined as a regular graph of size b and 
degree d, such that every two adjacent nodes have t common 
neighbors, and every two non-adjacent nodes have u common 
neighbors. The SRG is denoted by srg(b, d, t, u). 

B. Some Properties of g-Designs 

The following results are helpful for the future analysis. 

Theorem 1. If there exists a {X, k,v)—BIBD which is also 
a g-design with g = 2, then there exists a regular graph G 


III. Graph-Based KPS and Evaluation Metrics 

Block designs are intimately related to key pre-distribution 
schemes. In a KPS system, each sensor node is assigned a set 
of keys, called “key ring”. Let a key correspond to a point, 
and a key ring correspond to a block. Eor example, A unital 
design-based KPS gives m^{mf — m -\- 1) key rings from a 
key pool of wfi -\- 1 keys, such that each key ring contains 
m-\- \ keys. 

In sensor network applications, if two key rings share at 
least one common key, the corresponding two nodes can be 
directly connected to each other. The direct connections form 
a graph, whose nodes correspond to the sensor nodes, and 
edges correspond to direct connections. This graph is referred 
to as the “design graph”. In mathematical terms: 

Definition 5. A design graph for a specific block design is a 
graph Gd whose nodes V(Go) correspond to the blocks. Two 
nodes are connected in Gd if and only if the corresponding 
two blocks share at least one point 

The prior structural information of a network (discussed) 
may also be modeled as a graph: 

Definition 6. A target graph for a specific WSN is a triplet 
of graphs Gt = (Gif,G'lf,Gf) that satisfies 

1) each node of Gf, Gif, or Gf corresponds to a node in 
the WSN, 

2) two nodes are connected in Gf if and only if the corre¬ 
sponding nodes in the WSN must directly communicate. 
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3) two nodes are connected in if and only if the 
corresponding nodes in the WSN are required not to 
directly communicate, and 

4) for any pair of nodes not covered by the above two 
cases, they are not connected in Gf if and only if the 
corresponding nodes in the WSN may communicate via 
a path but not necessarily communicate directly. 

We note that design graphs and target graphs are undirected 
and unweighted. Also in the classical case, Gf, Gf are null 
graphs (denoted by 0) and Gf is a complete graph, i.e. Gt = 
(0, 0,Gcompiete) where Gcompiete denotes the complete graph. 

For a given WSN, assume that we are given a target 
graph Gt that reflects the available prior information. A 
natural question is how to incorporate Gt into the classical 
evaluation metrics, in order to address practical concerns (e.g. 
Observations 1-4). 

First, we briefly review the classical performance metrics in 
terms of a design graph Gn. 

• Direct connectivity coverage is the fraction of direct 
links to all possible links in the network, i.e. the proba¬ 
bility that a given pair of nodes can directly connect. 

• Average path length is the expectation of the length 
of the shortest path between two nodes drawn uniformly 
from the network. It can be calculated as the average 
length of the shortest paths between pairs of nodes in 
Gd- It is defined to be infinite (oo) if there exist two 
nodes that cannot establish a connection path. 

• Network resiliency NR^ measures the fraction of un¬ 
compromised external links when x sensor nodes are 
captured. It can be calculated as the fraction of edges 
that do not contain keys employed in the compromised 
nodes. 

• Storage overhead measures the memory required to store 
the keys in each node, often calculated as the size of each 
block. 

• Network scalability is the total number of keys needed, 
for a given number of nodes. 

Consider a target graph Gt- Some of the above criteria need 
to be modified accordingly. 

• Direct connectivity coverage (DCC) and average path 
length (APL) 

If two nodes do not communicate (or are not connected 
in Gf U Gf), whether they share keys should not be 
considered into the evaluation of a KPS (Observation 1 
and Observation 3). We therefore restrict the calculations 
of the two metrics to the edge set E{GD)i^E{GfyjGf), 
e.g. only consider the edges in Gd that also appear in 
Gif U Gf. 

• Direct important connectivity coverage (DICC) 

Direct important connectivity coverage can be calculated 
as the direct connectivity coverage restricted to Gf, i.e. 
\E{Gf) n E{GD)\/\E{Gf)\ with | • | representing the 
cardinality of a set. This metric is meaningful only when 
Gf is not empty. 

• Network resiliency (NR) 

Observation 4 provides a scenario where certain nodes 
are required not to communicate. This is represented by 


the edges of Gf. Reflected in the metric of network 
resiliency, if two compromised nodes are connected in 
both Gd and Gf, the common keys they share are 
regarded as captured. Thus, NR^ can be calculated as 
the fraction of of edges that do not contain keys that 
are employed by edges in E{Gd) H E(Gf) or the x 
compromised nodes. It reduces to the classical case when 
Gf is a null graph. 

Definition 7. A KPS is graph-based, if it is designed based 
on the target graph. Its performance is evaluated based on the 
metrics above. 

Since it is not easy to provide a universal design that is 
suitable for any situation, we focus on the following two 
different cases of graph-based KPS. 

Scenario 1. Consider the case when Gt = (0,0,G5^), i.e. 
every two nodes may or may not communicate. Notice that 
in this scenario, we need the modified definition of “direct 
connectivity coverage ” and “average path length ”. 

Scenario 2. Consider the case when Gt = (Gp,G^,0), i.e. 
Gf U Gf is a complete graph, and two nodes either must 
communicate or are required not to communicate. Notice that 
in this scenario, we need the modified definition of “network 
resiliency”, and the metric “direct important connectivity 
coverage ”. 


IV. The Gt = (0,0, Gf) scenario 
In this scenario, Gf contains the information about pairs 
of nodes that do not need direct connections. If Gf is non¬ 
trivial, i.e. Gf is not a complete graph, we may improve the 
performance by employing the extra information provided by 

G r 

T ' 

For comparison, we first consider the trivial case in which 
Gf is a complete graph. 


(1) When Gf is a complete graph, Bechkit et al. |21| 
propose a highly scalable KPS using unital design. This was 
shown to outperform other KPS in many aspects. Here, we 
examine a more general case. We use a (A, fc, r, u, 6)-BIBD 
with A = 1 for KPS design, and evaluate the KPS parameters 
as follows (in terms of v and k). 


• Direct connectivity coverage / Direct important connec¬ 
tivity coverage: 

nrr = = ^ = 

bib-l)/2 6-1 

(U - fc)fc2 

• Average path length: If two nodes are not connected, 
there are m > 1 nodes connecting both of them, so the 
minimum path length between these two nodes is equal 
to two. The average path length is thus 

APL = DGC + 2(1 - DGC) = 2- DGG. (6) 


• Network resiliency: For approximate analysis, we assume 
that the captured nodes are uniformly distributed among 
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all the nodes. Since each key occurs in r blocks among 
the total number of b blocks, the probability that a 
key is not compromised when x nodes are captured is 
Cx'^)/Cx)’ ^ = fc(fcli) ■ Further, the probability 

that a given link is compromised is 

rb-r) 

NR^ = (7) 

' (*) 

• Storage overhead: It is the size of each block, i.e. SO = 
k. 

• Network scalability: It is the total number of keys, i.e. 
NS = v. 


(2) When Glp is not a complete graph, in order to exploit 
the graph information, let us consider a network in which 
there are s groups and each of the group contains 6o sensor 
nodes. For each group, there are tq (0 < tq < bo/s) “central 
nodes” (or nodes of higher rank) who are responsible for 
collecting information from all the other nodes in the same 
group. Besides this, between any two groups only the central 
nodes could establish connections; in other words, a “non¬ 
central node” can only communicate with the nodes within the 
same group. In terms of a target graph, is isomorphic to 
the following matrix [Jran\sbo^sbo (two graphs are isomorphic 
if the vertices are the same up to a relabeling): 


Jvr 

Jrr 

Jjr 


= 1 , 
= 1 , 
= 0 , 


VO < (m mod bo), {n mod bo) < tq; 


m 


n 

_^o. 




otherwise. 


( 8 ) 

(9) 

( 10 ) 


Here, [x\ denotes the largest integer that is no more than the 
real number x. Equations and represent the possible 
connections among all the central nodes and among the nodes 
in each group, respectively. 

Our goal is to design a KPS such that any (central or 
non-central) node could transfer its information to any other 
node in the network, while satisfying the required performance 
metrics. A possible graph-based KPS design is to assign keys, 
e.g. via BIBD with A = 1, for each of the g groups, together 
with the group of all central nodes. We now evaluate the 
network performance of this graph-based design, and compare 
it with the classical way. 

Let Vo and (s-f l)t;o be respectively the size of the key pool 
for each group of the graph-based KPS and for the classical 
KPS. Let b = sbo, v = {s + l)r'o- Then we compute: 


Direct connectivity coverage / Direct important connec¬ 
tivity coverage: 

Lor classical KPS, from i> = sSAt “ = 


0(7 AA) = 

further obtain 


0(vb 


and from Equation (5 i we 


DCC = 0{^) = 0{vb-^)=0{vobo^). (11) 


*0(-) notation: / = 0{g) means there exists a positive constant c such 
that c-ig < f <cg. 


Lor approximate analysis, we assume that the edges of 
unital design are uniformly distributed in E{G'j/ and 
E (Gy) (the complement of i7(Gy)). This implies that 

\E{Gij,)nE{GD)\ _ \E{Gd)\ 

\E{G^t)\ 0 ■ 

Lor graph-based KPS, the direct connectivity coverage 
within one group is 0{vobQ^), and within the central 
nodes is 0 (wo(sto)“^) > O{vobo^) using the same 
reasoning. So the overall DCC is at least 

DGGg = Oivobo^), ( 12 ) 

which is as good as Equation GD- 
• Average path length: The given target graph requires that 
any path across two groups consists of two types of 
connections: normal node with central node, and central 
node to central node. So we consider them separately. 
Lor classical KPS, within a group or among central nodes, 
the average path length is less or equal to 

APL = DGC+ 2{l-DGC) = 2-DGG. (13) 

Lor graph-based KPS, connections within any group form 
a SRG, so the average path length is 

APLg = DGGg + 2{1- DGGg)-APL. (14) 


• Network resiliency: We assume that the captured nodes 
are uniformly distributed among all the nodes. Lor clas¬ 
sical KPS, each key occurs in r blocks (from the total 
number of b blocks), and thus the probability that a key 
is not compromised when x nodes are captured is 


NRa, = 




(15) 


where we have applied r = = 0{vk~^) = 0{b^). 

This is also the probability that a given link is not 
compromised. 

Lor graph-based KPS, each key occurs in rg = 0 (&q ) 
blocks (from the total number of b blocks), and thus the 
probability that a key is not compromised when x nodes 
are captured is / (^). Lurther, the probability that 

a given link within any group is not compromised is 


NRgx 



(b—s 



(16) 


The resiliency for the central nodes > NRgx, because 
sTo < bo- As a result, the resiliency in Equation (16i is 
greater than that in ( |T5| ). 

Storage overhead: Lor classical KPS, storage overhead is 
given by 


SO = k = 0{vb 2 ) = s^O{vobo ^). (17) 


Lor graph-based KPS, this is equal to ko = 0{vobo ^) for 
a normal node, and 2ko for a central node, so in average: 

SOg = O{vobo~^) = s-^^ SO. 


(18) 
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In summary, under the same network scalability, the direct 
connectivity coverage and average path length of graph-based 
KPS are no worse than those of the classical ones, while 
the network resiliency and storage overhead are comparatively 
improved. Thus, the overall performance is improved. 

V. The Gt = (G^, G^, 0) scenario 

In this scenario, we want to have a KPS whose design graph 
is exactly Gy. We first consider the case where Gy is (by co¬ 
incidence) the design graph of certain p-design with g = 2 and 
parameters (A, k, r, v, b). We start with such simple and “ideal” 
case for two main reasons: first, it provides a benchmark for a 
more general-purposed approach to be introduced in the next 
section; second, designs for more complex target graphs may 
be derived based upon the ideal ones. 

We immediately obtain a satisfying KPS by the natural 
mapping between blocks of the p-design and key rings. We 
refer to it as the “natural” method. 

The storage overhead is k. The scalability is v. As for 
the network resiliency, if one node (block) is captured, there 
will be ( 2 ) ( 2 ) connections compromised. To observe this, we 
first notice that any pair of points in the block appear in A 
blocks, and there are ( 2 ) such pairs, so ( 2 ) ( 2 ) connections 
are compromised. Moreover, any other connection is secure, 
since the corresponding two blocks share at least one key that 
is not captured. 

Example 1. Let Gy be the graph shown in Figure ^a). As 
we can see, the nodes of Gy could be grouped into seven 
disconnected pairs with all other edges connected in the graph. 
For clarity, the complement of Gy is given in Figure ^b). 
Assume we would like to construct a KPS whose design graph 
is Gy. 

: ^ 

m—m 

(a) (b) 

Fig. 2 : Graph Gy and its complement 

We construct the following g-design with g = 2 and 
parameters (A, k, r, v, b) = (3,4, 7,8,14).- 

V ={ 0102030405060708 }, (19) 

58 ={{01020304}, {01O2O5O6}, {01O2O7O8}, {01O2O6O8}, 
{ 01020507 }, { 01 O 405 O 8 }, { 01 O 4 O 6 O 7 }, 

{ 05 O 6 O 7 O 8 }, { 03040708 }, { 030405 O 6 }, { 02040507 }, 

{02O4O6O8}, {02O3O6O7}, {02O3O5O8}}. ( 20 ) 

Obviously (V,^) forms a g-design (g = 2) whose design 
graph is Gy. In other words, we have obtained a satisfying 
KPS with Qi, i = 1, - ■ ■ ,8, representing the keys. 


TABLE I: Matching and Reducing Algorithm 


Input: Gy = \V{G^),E(G9p)\, positive integer cq. 

Let 6= |y(GT)|,e = |S(Gy)|. 

Initialization: 

1 = 0,0’- = Giy. 

Generate e different keys K = {ki, ■ ■ ■ , fce}. 

Assign K to E(G^), s.t. each edge is assigned a unique key. 

Define 25 = {Si, ■ ■ ■ , Bi,}, where 

Bn = {kt \ kt is assigned to an edge which is incident to node n}. 
Repeat (Clique reduction procedure) 

l = l-yl; 

Find a clique C’ in G*“^ whose size is no larger than co; 

Denote Kqi-\ as the set of keys assigned to E(C’)\ 

Update the blocks: 

Bm = Bm- e V{G’); 

Arbitrarily choose a key k’ from Kqi-i: 

Bm = BmU{fe*},Vmey(CO; 

Update from G’~^ to G‘: 

E{G’) = E(G’-^) - E(C’y, 

Until no clique of size greater than 2 can be found. 

Output: 25, y = 


Next we evaluate the performance of this construction 
by computing resiliency, storage overhead, and scalability 
measures. 

We consider the simple case when one node is captured, 
say Vi = { 04020304 }. In this case, there are 18 connections 
compromised. To observe this, we first notice that any two 
points of Vi appear in exactly 3 blocks; thus, there are 
( 2 ) ( 2 ) “ compromised connections in total Besides this, if 
both points of the intersection of two blocks do not belong to 
Vi, the two blocks are able to communicate in a secure way. 

The storage overhead is the size of each block, i.e. fc = 4. 
The network scalability is the total number of points, i.e. v = 
8. 

Now the question is: for any given target graph Gt = 
(Gy, Gy, 0), does there exist a KPS whose design graph Gy 
is exactly Gy? In fact, we have a positive answer that is 
guaranteed by the following algorithm. 

VI. Matching and Reducing Algorithm (MAR) 

A schematic diagram of the Matching and Reducing Algo¬ 
rithm (MAR) is depicted in Table [I] 

In the initialization step, a unique key is assigned to each 
edge, i.e. two nodes of that edge contain the key. Thus, 
the key ring of each node has been determined. However, 
we are motived to reduce the size of the key pool and key 
rings. Notice that for any clique G in Gy, it will not change 
the design graph if the distinct keys assigned to E{C) are 
replaced by only one key; in other words, if all the nodes of 
G share a common key, they still directly connect with one 
another, and edges outside G are not affected. Therefore, MAR 
looks for cliques in the current target graph, and reduces the 
number of keys within each clique to one, and then updates 
the target graph by removing the clique. The size of the clique, 
however, is upper-bounded by a constant integer cq to ensure 
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a reasonable network resiliency. Consider, for example, if 
is a complete graph, one key is enough for full connectivity; 
however, the the whole network is compromised as long as 
any one node is captured. 


1 1,2 1,3 



Am, m = 1, - ■ ■ , M. Let j/m = Am — 1. It is clear that 

M 

Um ^ d, 1 < j/m < cq—1. (cq is given in the algorithm) 

m—1 

( 22 ) 

Moreover, the number of compromised links when node x is 
captured is: 

M . X 

^’(j/ 1 ,'-- ,J/m) = ^ )■ 

We now evaluate the maximum for F under constraint ( |2^ . 

Let f{y) = Given positive numbers a,b,s in such 

a way that s — a > 0, s — 6 > 0, it is easy to observe that 
/(a)+/(s-a) < f{b)+f{s-b) if and only if |a- f | < |6- f |. 

Given two positive variables yi and 7/2 satisfying t/i + j /2 < 

Co — 1 , we have 

I + ^ 1/ , t y^ + y-^i 

\yi - 2 —I < + 2^2)- 2 —I- 

We conclude that 


Fig. 3: An illustrating example where MAR with cq = 3 is 
applied to a simple graph 

An illustrating example is given in Figure 

We elaborate on the other aspects of this algorithm: 

1) We did not give the details of how to detect cliques, 
or the optimality criteria for clique selection. Indeed, 
MAR encompasses many more algorithms. For example, 
one may propose a specific algorithm that deviates from 
MAR, in order to minimize the total number of keys 
(min |L|), etc. 

2) It is interesting that MAR is applied as a technical tool 
to the proof of Theorem]^ (in Appendix [B] i. 

3) The upper bound of the clique size in MAR is designed 
to ensure network resiliency NR^- But is there any 
theoretical lower bound of NR^ if the clique size is 
bounded by cq? The following theorem gives a positive 
answer. 


A. Network Resiliency for MAR 


Theorem 3. For a given graph Gf, assume that the degree of 
any node is no larger than d, the network resiliency NR^ of 
the KPS determined by the Matching and Reducing Algorithm 
satisfies 


NRx > 1 - 


\E{Gf)\ 


( 21 ) 


where \ denotes the smallest integer that is no less than 

d 

co-l" 

Proof Let us consider an arbitrary node x. Each key that 
is assigned to x is associated with one clique in Gf, due 
to the clique reduction procedure of the MAR algorithm (an 
edge can be regarded as a clique of size 2). Assume that x 
is associated with M cliques, and that clique m is of size 


F{yi,y2, ■ ■ ■ ,ym) < F{yi + 2 / 2 , • • • , 2 /m)- (23) 

Moreover, given two positive variables 2/1 and 7/2 satisfying 
2/1 + 2/2 > Co - 1 , 2/1 < 2/2 < Co - 1 , we have 

I 2/1 + 2/2, I , 2/1 + 2/2 I 

I2/2- 2 —I < |co - 1 - 2 —I- 

We conclude that 

F{yi,y2,-- ■ ,ym) < F{co - 1 , 2/1 + 2/2 - (co - 1 ), • • • , 2 /m)- 

(24) 

By continuous application of Inequalities ( |2^ and ( |24| i, F 
is maximized when 


2/1 = • ■ ■ = 2/M-i = Co - 1, yu = d - {M - l)(co - 1), 

^ d ^ 

M = 

Thus, 


Co - 1 




M = 


Co - 1 


= Fa. 


(25) 


If X nodes are captured, the worst case is that they do 
not share keys and xFq connections are compromised, which 
implies the result in (| 2 T 1 . 

□ 


B. Example 

In this section, we revisit the special case discussed in 
Section lY] i.e. in Gt = (G^,G^,0) is the design graph 
of a p-design with g = 2 and parameters {X, k,r,v,b). Now 
we apply the Matching and Reducing Algorithm and choose 
the parameter co to be A, so that the network resiliency is not 
worse than the “natural” method. Here are the reasons: 

• Due to Theorem [T] the edge set of Gf is a disjoint union 
of ( 2 ) subsets, each of which forms a clique of size A. 
Further, when MAR with cq = A is applied, it is clear 
that the minimal number of keys is achieved when the 
G* in each step is one of the (”) cliques. 























• Therefore, there are ( 2 ) keys in total, and the number of 
keys required by each node is 

d ^ 2|T;(G^)| 1 ^ 2Q(^) 1 ^ /k\ 

A-1 b A-1 b A-1 ^2/’ 

where the last equality is due to Equation Q. 

• If one node is captured, there will be ( 2 ) ( 2 ) connections 
compromised, which is the same as the “natural” method. 

• Finally, if cq is chosen to be larger, the network resiliency 
obviously decreases. 

Returning to Example [T] the parameter cq is chosen to be 
3. There are (") = 28 keys in total, and each node requires 
( 2 ) = 6 keys. The keys/key rings can be realized as: 

={{12,13,14,23,24,34}, {12,15,16,25,26,56}, 

{12,17,18,27,28,78}, {13,16,18,36,38,68}, 

{13,15,17,35,37,57}, {14,15,18,45,48,58}, 

{14,16,17,46,47,67}, {56,57,58,67,68,78}, 

{34,37,38,47,48,78}, {34,35,36,45,46,56}, 

{24,25,27,45,47,57}, {24,26,28,46,48,68}, 

{23,26,27,36,37,67}, {23,25,28,35,38,58}}. 


with graph theory, and applied them to KPS constructions. 
Two specific target graphs are considered. Especially, we 
introduced an algorithm framework called the Matching and 
Reducing Algorithm. Examples are provided to demonstrate 
the performance of the proposed scheme. 

Appendix A 
Proof of Theorem[T] 

Consider a p-design (V, *B) with g = 2 and design graph G. 
Equation Jl 1 implies that G has b = nodes. Because 

two connected blocks share exactly g = 2 keys, all edges in 
G are induced by a pair of keys in V. Besides this, any pair 
of keys induces a clique of size A in G. Two cliques do not 
share an edge, otherwise there exists two blocks that share 
at least three keys. Finally, every block intersect with other 
— 1) blocks, because each block contains 
pairs and each pair belongs to A — 1 other blocks. This implies 
that G is regular. 

Appendix B 
Proof of Theorem|2] 


Here, each key is uniquely denoted by a two-digit integer. For 
example, 12 represents a key, and 13 represents another key. 

Clearly, if one node is captured, 6 • ( 2 °) = connections 
are compromised, which is the same as the “natural” approach. 

Moreover, if cq is chosen to be 2, the network resiliency is 
improved. This is because every connection is secured by a 
unique key, and if one node is captured, only d = 12 < 18 
connections are compromised. However, the storage overhead 
increases and network scalability decreases. 

If Cq is chosen to be 4, the network resiliency decreases. To 
observe this, consider the following case: 

Label the the 14 nodes to be ni, • • • , ni4, and let two nodes 
ni,nj be disconnected if and only if \i — j\ = 7 (Figure]^. If 
we apply MAR with cq = 4, then it can be assumed that the 
following four cliques of size 4 appear in the “clique reduction 
procedure” (by possible relabeling): 

{ni, 712, ns, 774 }, {rii, 715 , Tie, ?^7}, 

{tIi, Tig, Tlio, Hit}) {ni,ni2, 7113, 7114}. 

This means that if node 711 is captured, the four keys, along 
with the 4 • ( 2 ) = 24 > 18 connections among the above four 
cliques, are compromised. 

In summary, the Matching and Reducing Algorithm pro¬ 
vides a general solution for KPS design given an arbitrary 
target graph. Nevertheless, the previous example reveals that 
for specific target graphs (G^), there is a potential advantage 
of using p-designs {g > 1) based KPS in terms of storage over¬ 
head and scalability. We believe that p-design is a promising 
design tool for KPS and leave that for future work here. 


Sufficiency: 

Assume that a (A = 1, k, 7;)-BIBD exists. Let G be its design 
graph. Any point in V induces r nodes that are connected to 
one another, forming a clique of size r. Besides this, any two 
cliques induced by two different points do not share an edge, 
because otherwise these two points appear in two different 
blocks contradicting A = 1. Finally, every block intersects with 
other (r — l)k blocks, because each block contains k points 
and each point belongs to t- — 1 other blocks. This implies that 
G is regular. 

Necessity: 

Let 


Applying MAR to the given graph G for v iterations, we obtain 
(y, ®) together with an empty graph GK Due to MAR, \V\ = 
V, each key appears in r blocks, and each block in *8 contains 

d 2 e 1 vr{r — 1) 1 

r - 1 6 r - 1 2 6(r - 1) 

keys. Next we prove that any pair of keys appear in exactly 
one block. To this end, we let b^j be the number of blocks 
which keys i and j both belong to, and count the value of 
B = X]i<i j<v different ways: on one hand, because 

each block contains k points and there are b blocks, B can be 
calculated as 

k{k—l) k{k — 1) v{v — 1) v{v — 1) 

~ 2 “ 2 k{k - 1) “ 2 ■ 


VH. Conclusion 

We proposed the concept of graph-based KPS and relevant 
evaluation metrics, motivated by several practical observations. 
We introduced the p-designs, studied some of their connections 


On the other hand, any pair of keys appear in no more than 
one block, because G is decomposed into v cliques any two of 
which share no edges. Moreover, B is no more than the total 
number of pairs v{v — l)/2. Therefore, any pair must exactly 
appear in one block. 
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